How to File a CCPA/CPRA Data Deletion Request in CA

Step-by-step guide to filing a CCPA/CPRA data deletion request in California, including data brokers, the CPPA complaint process, and follow-up steps.

How to File a CCPA/CPRA Data Deletion Request in CA

⏱ 11 min read

If you’ve ever wondered exactly how much of your personal information is floating around in corporate databases, the answer is probably: more than you’d like. From data brokers selling your home address to advertising networks tracking your browsing habits, California residents have accumulated digital footprints across hundreds of companies. Fortunately, California law gives you real, enforceable power to fight back.

The California Consumer Privacy Act (CCPA), significantly strengthened by the California Privacy Rights Act (CPRA), grants residents the legal right to demand that businesses delete the personal information they’ve collected. This isn’t a polite suggestion—it’s a legal right enforced by the California Privacy Protection Agency (CPPA), with real penalties for noncompliance.

This guide walks you through exactly how to file a CCPA/CPRA data deletion request in California, step by step, including which companies to target first, what forms and language to use, how long businesses have to respond, and what to do if they ignore you. Whether you’re trying to scrub your data from a people-search site or shut down a retailer’s marketing database, this is your actionable roadmap.

Understanding Your Rights Under CCPA/CPRA Before You File

Before sending a single request, it’s essential to understand what the law actually entitles you to. The CCPA took effect January 1, 2020, and was substantially amended by the CPRA, which took full effect January 1, 2023, and created the California Privacy Protection Agency (CPPA) as the primary enforcement body. Together, these laws form the backbone of the strongest consumer privacy framework in the United States.

Under CPRA, California residents have the right to:

  • Request deletion of personal information a business has collected from you
  • Request correction of inaccurate personal information
  • Know what data has been collected, sold, or shared, and with whom
  • Opt out of the sale or sharing of personal information (including for cross-context behavioral advertising)
  • Limit use of sensitive personal information, such as precise geolocation, health data, or Social Security numbers

The law applies to any for-profit business that does business in California and meets at least one of these thresholds: annual gross revenue over $26,625,000 (CPI-adjusted threshold effective January 1, 2025), buys/sells/shares personal information of 100,000+ consumers or households, or derives 50%+ of annual revenue from selling or sharing personal information. This means it covers most major retailers, tech platforms, data brokers, and financial services companies—but not every small business you interact with.

Important exceptions exist. Businesses can deny deletion requests if the data is needed to complete a transaction, detect security incidents, comply with a legal obligation (like tax recordkeeping under IRS rules), or exercise free speech. For example, if you ask your bank to delete records tied to a mortgage, they can legally refuse because federal law requires retention of certain financial records for years. Knowing these carve-outs in advance prevents frustration when a legitimate deletion request gets partially denied.

Step-by-Step: How to Submit a CCPA/CPRA Deletion Request

Filing a request is more procedural than most people expect, and doing it correctly increases your odds of a complete, timely deletion. Here is the exact process.

Step 1: Identify the business and locate their privacy request mechanism.

Under CPRA, covered businesses must provide at least two methods for submitting requests, and if they operate a website, one must be an online form or a “Do Not Sell or Share My Personal Information” link, typically in the footer. Look for pages titled “Your Privacy Rights,” “California Privacy Rights,” or “Do Not Sell My Info.”

Step 2: Choose your submission channel.

Most large companies now offer a dedicated web form (common with retailers like Target or Best Buy) or a toll-free number. If no form exists, email the company’s designated privacy contact—often privacy@[company].com—or send a written letter to their registered agent, which you can look up via the California Secretary of State business search.

Step 3: Draft your request using specific legal language.

Your request should explicitly invoke your rights. Example template:

“Pursuant to the California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.) as amended by the California Privacy Rights Act, I am requesting that you delete all personal information you have collected about me. Please confirm my identity verification requirements and provide written confirmation once deletion is complete.”

Step 4: Complete identity verification.

Businesses are legally permitted to verify your identity before deleting data, especially for sensitive categories. Expect to provide your name, email, and sometimes the last four digits of an account number. Never send your full Social Security number over an unencrypted web form—reputable companies will not ask for it via plain email.

Step 5: Track your submission and calendar the deadline.

Businesses must confirm receipt within 10 business days and substantively respond within 45 calendar days, with a possible 45-day extension for complex requests (90 days total). Save confirmation emails, screenshots, and ticket numbers.

Step 6: Review the response and follow up if incomplete.

If the business says data was deleted, ask for written confirmation. If they claim an exemption applies, they must specify which one.

Real-World Example: Deleting Your Data From a People-Search Broker

Data brokers like Whitepages, Spokeo, and MyLife aggregate public records—court filings, property deeds, voter registrations—into searchable profiles containing your address, phone number, relatives’ names, and even estimated income. These sites are prime targets for CCPA deletion requests because they profit directly from selling your personal information.

Let’s walk through a concrete example using a fictional but representative broker scenario modeled on real opt-out processes.

Step 1: Search your name on the broker’s site to locate your profile. Copy the exact URL—brokers often require this to locate your record in their system.

Step 2: Navigate to the site’s opt-out or “Privacy Rights” page. Most data brokers maintain a dedicated CCPA opt-out form separate from their general contact page, per Cal. Civ. Code § 1798.105.

Step 3: Submit the deletion request with your full name, current and past city/state, date of birth (if requested), and the profile URL. Some brokers require email verification via a confirmation link.

Step 4: Screenshot the confirmation page and save the confirmation email. Data brokers process thousands of requests, and having documentation matters if the listing reappears.

Step 5: Check back in 30-45 days. It’s common for brokers to remove the public-facing listing within days but retain backend data until the legal response deadline.

Step 6: Because brokers frequently re-scrape public records and regenerate profiles every few months, set a recurring calendar reminder every 90 days to search your name again.

Given there are over 200 active data brokers in the US, manually filing individual CCPA requests with each one is extremely time-consuming. This is why many privacy-conscious Californians use automated removal services like Incogni or DeleteMe, which file CCPA/CPRA and other state-law deletion requests on your behalf across dozens of broker databases simultaneously, then provide ongoing monitoring since brokers frequently re-list your information from new public records.

Filing Requests With Data Brokers Registered Under California’s Delete Act

California passed an additional law—the Delete Act (SB 362)—that works alongside CCPA/CPRA specifically for data brokers. On January 1, 2026, the CPPA launched the “DROP” (Delete Request and Opt-out Platform), a centralized mechanism allowing consumers to submit a single deletion request that reaches every registered data broker in California at once, rather than filing hundreds of individual requests.

Until data brokers are required to process DROP requests (starting August 1, 2026), here’s how to handle broker-specific deletion today:

Step 1: Check the CPPA’s data broker registry. All brokers operating in California must register annually with the CPPA and pay a registration fee. You can view the current registry on the CPPA’s official website to confirm a company is a legitimate, legally accountable data broker.

Step 2: File individual requests with high-priority brokers first. Focus on brokers most likely to expose sensitive information: Acxiom, LexisNexis Risk Solutions, and Epsilon Data Management are among the largest data aggregators feeding information to marketers, insurers, and background-check companies.

Step 3: Use certified mail for brokers without functional web forms. Some smaller brokers registered with the CPPA still lack proper digital infrastructure. Sending a physical letter via USPS certified mail creates a legally defensible paper trail proving delivery.

Step 4: Report non-compliant brokers to the CPPA. If a registered broker ignores your request past the 45-day window, file a complaint directly with the CPPA through their consumer complaint portal. Under the Delete Act, non-compliant data brokers face administrative fines of $200 per day for failing to register, plus $200 per deletion request per day for failing to process them (Cal. Civ. Code § 1798.99.82).

Step 5: Use the DROP portal. The consumer portal is already live, and California residents can submit one universal deletion request covering every registered broker — brokers must begin processing these requests by August 1, 2026—the consumer-facing DROP portal is already live, and brokers must begin processing requests by August 1, 2026.

What to Do When a Business Denies or Ignores Your Deletion Request

Not every request goes smoothly. Businesses sometimes deny requests improperly, cite vague exemptions, or simply go silent past the legal deadline. Here’s your escalation path.

Step 1: Request a written explanation. Under CCPA regulations, if a business denies your deletion request in whole or in part, they must explain the basis for denial in their response—not just say “denied.”

Step 2: Verify the exemption is legitimate. Common legitimate exemptions include ongoing transactions, legal retention requirements (like the seven-year record retention many financial institutions follow under federal banking regulations), fraud prevention, or free expression protections. If a company cites “we need it for marketing purposes,” that is not a valid CCPA exemption and should be challenged.

Step 3: Send a follow-up citing specific statute sections. Reference Cal. Civ. Code § 1798.105(a) directly and request the business identify precisely which subsection exemption applies to your data.

Step 4: File a complaint with the California Privacy Protection Agency. If the business misses the 45/90-day window entirely or provides an invalid denial, submit a formal complaint at cppa.ca.gov. Include your original request, confirmation of submission date, and any correspondence.

Step 5: Consider the California Attorney General’s office for non-CPPA matters. While CPPA now handles most enforcement, the California Attorney General retains authority over certain violations and maintains a consumer complaint portal as well.

Step 6: Know your private right of action limits. CCPA’s private right of action is narrow—it primarily applies to data breaches involving unencrypted personal information, not general deletion request denials. For deletion disputes, regulatory complaints to the CPPA are your most effective and cost-free remedy.

Protecting Your Financial Accounts Alongside Your Privacy Data

Filing deletion requests protects your data trail, but savvy identity thieves often combine leaked personal information with financial fraud. If you’re already cleaning up your privacy footprint, pair it with these financial safeguards.

Step 1: Freeze your credit with all three bureaus. Visit Equifax, Experian, and TransUnion individually—freezing with one does not freeze the others. This is free under federal law (Economic Growth, Regulatory Relief, and Consumer Protection Act, 2018) and prevents new accounts from being opened using your leaked SSN.

Step 2: Set up fraud alerts as a lighter-touch alternative. If a full freeze feels excessive, a 1-year fraud alert (renewable) requires lenders to verify your identity before extending credit.

Step 3: Watch for Zelle and Venmo impersonation scams tied to leaked data. Once your name, phone number, and partial account details leak via a data broker, scammers use them to impersonate your bank via text, asking you to “confirm” a Zelle transfer. Banks participating in Zelle will never ask you to send yourself money to “reverse” a fraudulent charge—that’s always a scam script.

Step 4: Monitor for IRS and SSA phishing that references your real data. Scammers who’ve scraped broker data often reference your real address or employer to appear legitimate in fake IRS notices. The IRS will never initiate contact via email, text, or social media requesting personal information—always verify through IRS.gov directly.

Key Takeaways

  • California residents have a legal right under CCPA/CPRA to request deletion of personal information from covered businesses, enforced by the CPPA.
  • Businesses must confirm receipt within 10 business days and respond substantively within 45 days (extendable to 90 for complex requests).
  • Data brokers are prime targets for deletion requests since they profit directly from selling your personal data; check the CPPA’s public registry to confirm legitimacy.
  • Automated services like Incogni and DeleteMe can handle bulk broker deletion requests, saving significant time versus manual filing.
  • California’s Delete Act (SB 362) will eventually let you file one universal request through the DROP platform covering all registered brokers.
  • If a business denies or ignores your request improperly, file a complaint directly with the CPPA rather than assuming you have no recourse.
  • Pair privacy cleanup with credit freezes at Equifax, Experian, and TransUnion to close the loop between data exposure and financial fraud risk.

Conclusion

Learning how to file a CCPA/CPRA data deletion request in California puts real, legally-backed power back in your hands. From identifying covered businesses and drafting a properly worded request, to escalating unresponsive companies through the CPPA, every step outlined here is designed to be actionable today—not theoretical. Data brokers and marketing companies will not delete your information voluntarily; they profit from keeping it. Start with the highest-risk targets—people-search sites and major data aggregators—then layer in credit freezes and scam awareness for full-spectrum protection. Set a recurring 90-day reminder to re-check your exposure, because deleted data has a way of resurfacing. Your privacy is a right under California law—exercise it.


About the author

Ryan Mercer — covers digital privacy and consumer security — data broker removal, breach response, and protecting your money online — for everyday US internet users.

Disclaimer: The content on this site is for general informational purposes only and is not legal or professional security advice. Laws vary by state; verify current requirements for your situation.

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *